The next step of the UK’s battle against coronavirus has been rolled out, months after it was abandoned because the system couldn’t cope with the influx of cases. Contact tracing, where anyone who tests positive for Covid-19 is quizzed about their recent movements, and people who have been in close proximity with them are contacted and told to self-isolate, has been launched.
But people have questions. There are fears that the way in which the system works, with potentially at-risk people contacted by email, phone or text message, could be an easy way for scammers to con victims out of personal details and potentially money. Jenny Harries, England’s deputy chief medical officer, said on May 31 she thought it would be “very obvious” when someone was calling from the official government track and trace programme because they “are professionally trained individuals and sitting over them are a group of senior clinical professionals.” That’s despite the fact that multiple reports have shown track and trace call centre workers have been given minimal training or preparation.
“The fact that Dr Harries wasn’t better briefed to answer a question about that is surprising,” says Jessica Barker, a cybersecurity researcher. “It potentially speaks to the mindset that security wasn’t at the heart of this.”
A spokesperson for the Department for Health and Social Care said its testing and tracing scheme is “vitally important” in helping prevent the spread of Covid-19. “We have been working with the police and the National Cyber Security Centre, who have advised on measures to keep the public safe,” the spokesperson said. They added staff working for Test and Trace would not ask for financial details, PINs or passwords. “They will also never visit your home,” the spokesperson said.
“They’ve just not thought about scams; haven’t given it a thought. It’s such a shame,” says Richard De Vere of The Antisocial Engineer, a Barnsley-based social engineering consultancy. “My anger comes from the fact that the National Cyber Security Centre (NCSC) are knocking out some really good advice about this topic, and it’s just being ignored.”
Others agree. “It really is crap, isn’t it?” says Polly McKenzie of the Demos think tank, which has previously published a report on protecting vulnerable communities from fraud.
The concern is that scammers will use the opportunity to glean personal information about people that can then be used to defraud them, stealing money and accessing people’s bank and social media accounts. The official contact tracers will ask for your name, date of birth and postcode – information that could be potentially useful for accessing private accounts – alongside information such as your NHS number and the contact details of anyone you’ve been in the same place with. There’s evidence it’s already happening. The NCSC, part of GCHQ, announced in late April that it had already taken down 2,000 scams preying on people by offering them coronavirus-related services.
A checklist of ways to make sure you don’t get scammed has been published by the government, though not all of them are foolproof. The list recommends people check the phone number from which the person claiming to be a contact tracer has called you: the official programme will use the number 0300 013 5000. However, Alexis Conran, a fraud expert who has hosted television shows on how to con people, has demonstrated that it can be easily spoofed by a commercially available phone app. “If your guidelines are, ‘Look at the number, is it the official number of the NHS,’ I’m afraid you are putting people in harm’s way,” says Conran. “They will no longer be thinking about the content of the call.”
“If you receive a call and the caller ID is shown on the phone, that caller ID is not verified at all,” says Feng Hao of Warwick University’s department of computer science, who has studied phone spoofing. “It can be easily spoofed. There’s software to do that.” Hao and colleagues at Warwick University are trying to prevent this from happening in the future by screening calls at a phone level before they ring, making sure the identity of the caller is verified.
The government will also be sending out texts informing people they’ve potentially come into contact with someone who is Covid-positive, but will be sending the messages from “NHS”. That’s a problem, says De Vere. “Text messages are inherently weak,” he explains. “Anyone can spoof a message sender.” The government could have headed off this issue by blocking anyone bar one number from sending out messages claiming to be from the NHS – banks, including NatWest, have put blocks in place on their company names – but would have run into an issue. Thousands of doctors’ surgeries across the country send out messages with an “NHS” sender ID. Instead, De Vere believes they should have used an alternative sender ID, such as “Gov tracing”, that they could have more tightly secured.
The problem is compounded by what the government test and trace system then wants people who receive the message to do: to open a link sent by text message. The official URL – contact-tracing.phe.gov.uk – is a jumble of dashes and dots. De Vere has registered a similar-looking URL, from which he could theoretically launch phishing attacks that collect personal information. He says that the government should have used a suffix for the URL (so, gov.uk/contacttracing, rather than a prefix like contact-tracing.phe.gov.uk) to make it more difficult to register similar-looking URLs.
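The point about lookalike addresses comes down to where a link actually points. As an added illustration (not code from the article or from any of the people quoted), the Python below checks whether the host in a texted link is the official contact-tracing.phe.gov.uk host, some other gov.uk host, or something else; the lookalike addresses it is run against are constructed for the example and are not domains anyone has registered.

```python
from urllib.parse import urlsplit

# The official host quoted in the article; gov.uk is the suffix we trust.
OFFICIAL_HOST = "contact-tracing.phe.gov.uk"
TRUSTED_SUFFIX = "gov.uk"


def host_under(hostname: str, suffix: str) -> bool:
    """True only if hostname is suffix or ends with '.' + suffix on a label
    boundary, so 'phe-gov.uk' or 'gov.uk.example.net' do not pass."""
    hostname = hostname.lower().rstrip(".")
    return hostname == suffix or hostname.endswith("." + suffix)


def classify_link(url: str) -> str:
    """Classify a link found in a text as 'official', 'other-gov-uk' or 'suspicious'."""
    # Texts often omit the scheme; assume https so urlsplit parses a host.
    if "://" not in url:
        url = "https://" + url
    try:
        parts = urlsplit(url)
    except ValueError:
        return "suspicious"
    # .hostname is lowercased and has any user@ prefix and :port stripped,
    # so 'https://contact-tracing.phe.gov.uk@example.net/' resolves to example.net.
    host = parts.hostname
    if host is None or parts.scheme != "https":
        return "suspicious"
    if host == OFFICIAL_HOST:
        return "official"
    if host_under(host, TRUSTED_SUFFIX):
        return "other-gov-uk"
    return "suspicious"


# Constructed sample links for the example (the lookalikes are invented).
SAMPLE_LINKS = {
    "https://contact-tracing.phe.gov.uk/": "official",
    "contact-tracing.phe.gov.uk/verify": "official",
    "https://www.gov.uk/contacttracing": "other-gov-uk",
    "https://contact-tracing.phe.gov.uk.example.net/": "suspicious",
    "https://contact-tracing.phe.gov.uk@example.net/": "suspicious",
    "https://contact-tracing-phe-gov.uk/": "suspicious",
    "http://contact-tracing.phe.gov.uk/": "suspicious",
}

if __name__ == "__main__":
    for link, expected in SAMPLE_LINKS.items():
        print(f"{classify_link(link):>13}  {link}")
```

The last two constructed cases show why a plain "ends with gov.uk" string test is not enough: a hyphen instead of a dot, or a user@ prefix, both read as the official address to the eye.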
The official advice makes clear that contact tracers will never ask for any payment, details of bank accounts, or passwords or PINs – but that overlooks how scams work. They leverage social engineering. Humans are often the biggest weakness in a system. “The government have decided this is low risk,” says McKenzie. “’Nobody is going to be asked to give money.’ But if you know anything about scams, you know people are routinely asked for money in completely implausible ways that they nevertheless move forward with.”
McKenzie points out that the people contacted are likely to be vulnerable and isolated. “People who are vulnerable and isolated are targeted systematically again and again,” she says. “What this pandemic has done is made a whole load of people more vulnerable.” One of the best defences against scams is to sense-check any actions with someone else, but at the same time, we’re being told to stay at home and not interact with others.
There are a number of ways scammers could shift a purported contact tracing call into getting someone’s bank details: they could say that the two-week self-isolation period would allow people to claim statutory sick pay, and ask for bank account details to help that. They could offer to help set up food delivery parcels, knowing the person would have to stay indoors, and ask for payment towards that. “Because it’s new, you haven’t got that sense of what’s right and wrong,” says McKenzie. “This is the first time most people will receive a track and trace-type call,” adds Conran. “It’s different if you’re being contacted by your doctor, bank or school. We know what the protocol is there. With this, we don’t know how the call should go.”
“Legitimate contact tracing callers will only ask for basic information, so it is vital that people remain vigilant and report any unsolicited calls and texts requesting payment or sensitive information,” says Kate Bevan, computing editor at Which?. “Do not share bank details, passwords or click on any links in unexpected emails or texts.”
The UK’s approach to proactively seeing potential pitfalls and plugging them seems to lag behind other countries as they roll out track and trace regimes. The US Federal Trade Commission has proactively told Americans to set up spam filters on their phones and implement multi-factor authentication on online accounts to stop the risk from scams. India has asked bug bounty hunters to spot any security issues with its app. And while it’s not a model for much, with the system being used to stymie the spread of independent information that could criticise the way the country is run, one byproduct of China’s rigorous control on messaging means it’s not possible to spoof the sender of an SMS or put a link in a text message, claims De Vere.
Those with experience of scams and the way scammers work are worried. “Nobody expects Jenny Harries to know anything about financial crime,” says McKenzie. “But there are people in the government who know about financial crime, and there are lots of people who know about this – so why haven’t they been asked? It’s madness to me not to recognise this is a risk.”